Open a spreadsheet, fill out a risk register, and groan quietly. That does not have to be how risk management is handled, least of all for security, according to Amar Singh, CISO of News International. At Computer Weekly, Warwick Ashford writes about Singh's perspective and how good communication can be a form of risk management in itself.
Singh likes to talk to every business manager about risk in every part of the business, so that he can later offer useful support for whatever form of risk management they choose to adopt. Talking to managers also lets Singh casually introduce basic, effective risk management concepts in a form they can fold into their everyday routines, which is simpler and cheaper than launching an organisation-wide project to implement a risk management framework. There is the added benefit that people feel more involved in the company, and people who feel involved tend to put in more effort. Framing security in terms of risk also helps when dealing with finances:
According to Singh, one of the most obvious benefits of a risk-based approach to security is that making a business case for investments at budget time is much easier. It is difficult to get budget for “addressing software security,” but relatively easy to get budget for technology that reduces or eliminates the risk of a £2m fine for poor software security practices, he said. “A risk-based approach enables IT security professionals to articulate the need for investment or other action in terms that the business is better able to understand,” said Singh. Information technology underpins just about everything people do in business today, he said, which also provides an opportunity to engage with everyone across an organisation and get buy-in.
Tying security to key performance indicators lets a large project be justified in business terms rather than in terms of the technology behind it, because managing risk is the actual goal, not merely recording risks in a register. Consider the power of a friendly chat in infecting all your colleagues with the risk management bug.